Risk Management
Policy and Basic Concept
The ITOCHU Group is exposed to various risks due to its wide range of business natures, such as market, credit, and investment risks. These risks include unpredictable uncertainties and may have significant effects on the ITOCHU Group’s future financial position and business performance.
We acknowledge risk management as a key management issue. Therefore, we have established our basic risk management policy and develop necessary risk management systems and techniques based on the concept of the COSO-ERM framework.
Targets and Action Plan
Risks | Opportunities |
|
|
Structures and Systems
Risk Management Structure
Risks associated to business operations are managed under oversight from the board of directors, within the responsibilities mandated to our division companies, Headquarters Management Committee (HMC), and relevant committees.
ITOCHU has established internal committees and responsible departments in order to address the various risks associated with the Group’s business operations, such as market risk, credit risk, country risk, and investment risk. At the same time, on a Group basis ITOCHU has developed the risk management systems and methods to manage various risks individually and on a companywide basis. Those include a range of management regulations, investment criteria, risk exposure limits, and transaction limits, as well as reporting and monitoring systems. Moreover, ITOCHU regularly reviews the effectiveness of its risk management systems and the managing officer for each risk reports on results and findings to the board of directors.
At the Group level, ITOCHU’s structural approach to risk management is overseen by the President and Chief Operating Officer (COO) and the Board of Directors and aims to ensure timely and sound executive decision making. The HMC, which is chaired by the President and COO and comprised of the Chairman and Chief Executive Officer (CEO) and other executives appointed by the President and COO, is the committee that sits at the highest level regarding our risk management system. Subsequent committees that report up to the HMC, also referred to as Principal Internal Committees, which include the Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, and Investment Consultative Committee, are responsible for identifying and addressing risks and incidents in their respective fields.
The Sustainability Committee, one of the Principal Internal Committees introduced above, is tasked to promote sustainability in the ITOCHU Group’s company-wide risk management. The Committee manages operational ESG risks such as human rights risks, health and safety risks, climate risks, and natural disaster risks, as well as ESG risks related to investments. The Committee cooperates with other Committees as necessary and makes decisions on policies and initiatives to address ESG risks and operational improvements to further mainstream sustainability concerns in our risk management culture. Activities and findings are compiled by the Committee and reported to the Board of Directors annually.
At the individual Company level, each Company’s President reports to the Division Company Management Committee (DMC), an advisory body to the Companies. The DMC deliberates on important issues such as those regarding investments, lending, assurance, and business management that have the potential to substantially impact the management of each company. If the risks identified or escalated exceed beyond the responsibilities mandated to the DMC, depending on the gravity of the risk and upon deliberation with other committees as necessary, risk issues may be escalated to the HMC and/or the Board of Directors.
ITOCHU is a company with Audit & Supervisory Board Members and endeavors to strengthen the monitoring/supervising function and ensure the transparency of decision making by having the Audit & Supervisory Board Members (including outside Audit & Supervisory Board Members) fully monitor corporate management. Auditors are therefore independent from the Committees within our risk management structure, including the HMC, but do attend Committees to perform their monitoring/supervising responsibilities. The Internal Audit Division, which serves as the organization’s internal audit system under the direct control of the President & COO, is responsible for internal audits and conducts independent audits of departments, division companies, and group companies responsible for risk management. The audit results are reported directly to the Chairman & CEO and President & COO, as well as to the Executive Officers’ meetings where Members of the Board and Audit & Supervisory Board Members are present, thereby establishing a dual reporting line. The Division also cooperates with the Audit & Supervisory Board to ensure the effectiveness of internal auditing.
Risk Management Governance Structural Chart (As of June 21, 2024)
- Internal Audit Division reports directly to Chairman & CEO and President & COO, and to Executive Officers’ meetings where Members of the Board and Audit & Supervisory Board Members are present
Response to Significant Risks for ITOCHU
We are responding to major risks by building information management and monitoring systems at each department responsible for managing these risks on a consolidated basis.
Risk Item | Responsible Department (Managing Officer) | Leading Risks | Risk Mitigation Measures |
Compliance Risks | Legal Division (CAO) |
Risks relating to compliance with various laws, ordinances and regulations |
Compliance officers in each organization (including companies) manage risks and give guidance on them based on the ITOCHU Group Compliance Program. |
Legal Risks (Excluding Compliance Risks) | Legal Division (CAO) |
Risks from various regulatory restrictions and changes to laws, risks incurred from regulatory tightening and deregulation, risks incurred due to different administration and interpretation of legal systems, and risk of losses (compensation liability etc.) occurring due to disputes (lawsuits and complaints) |
Mitigate the risk of losses expanding by checking contracts and other paperwork in advance in relation to conflicts (lawsuits and complaints). Raise awareness about risks from changes to laws and ordinances by holding various courses. Respond to those risks by accepting inquiries on a case-by-case basis. |
Risks Associated with Trade Security Policy Management | Legal Division (CAO) |
Risks relating to compliance with the Foreign Exchange and Foreign Trade Act (security-related) and risks relating to international security such as the legal regulations and sanctions of other countries |
Export Control & Sanctions Department performs centralized management. Perform appropriate management and give guidance in cooperation with the Export Control Program Officers in each company or department. |
Risks Associated with Customs | Legal Division (CAO) |
Risks relating to compliance with the three customs acts (Customs Act, Customs Tariff Act and Act on Temporary Measures Concerning Customs) |
Conduct in-house monitoring, provide training, accept inquiries on a daily basis, ensure employees and officers are aware of laws and ordinances, and hold periodic report briefings on customs in line with import customs clearance management and customs management manuals, and export customs clearance management manuals. |
Country Risks | Global Risk Management Division (CFO) |
Risk of losses occurring due to the actions of nations themselves or the environment in which those nations have been placed |
The Global Risk Management Division periodically aggregates the country risk exposure and discloses it as the outstanding balance of investments, loans and guarantees by major country. |
Commodity Price Risks (Specific, Important Product) | Global Risk Management Division (CFO) |
Risk of losses occurring due to product market price fluctuations |
Set monetary amount limits, quantity limits and period loss limits. Periodically review compliance with those limits. |
Credit Risks | Global Risk Management Division (CFO) |
Risk of losses occurring due to default on debts in contracts with associated companies |
Set credit amounts for each associated company and transaction type. In principle, review the credit amounts annually. |
Investment Risks | Global Risk Management Division (CFO) |
Risks relating to new investment execution and existing business monitoring and exit decision-making |
Make decisions on new investments based on investment standards. Periodically monitor existing investments. Promote asset replacement by applying the EXIT selection standards on investments not worth holding. |
Stock Price Risks | Global Risk Management Division (CFO) |
Risk of losses occurring due to stock price fluctuations |
Periodically grasp and monitor the amount of impact on consolidated shareholder’s equity due to stock price fluctuations. |
Foreign Exchange Rate Risks | Finance Division (CFO) |
Risk of losses occurring due to foreign exchange rate fluctuations |
Mitigate risks through hedge transactions using futures exchange contracts and other derivatives. |
Interest Rate Risks | Finance Division (CFO) |
Risk of losses occurring due to interest rate fluctuations |
Mitigate interest rate fluctuation risks by grasping the interest rate mismatch amount. |
Financing Risks | Finance Division (CFO) |
Risk that it will no longer be possible to raise financing smoothly due to turmoil in the financial markets |
Ensure sufficient liquidity by using cash and deposits and commitment lines. At the same time, mitigate risks by diversifying financing sources and methods. |
Information System and Security Risks | IT & Digital Strategy Division (CXO) |
|
|
Labor Management Risks | Human Resources & General Affairs Division (CAO) |
Risks which may occur in labor management (long working hours, unpaid overtime, etc.) |
Company and Headquarters human resources and general affairs staff summarize on-site inquiries and reports and then communicate them to the Human Resources and General Affair Division. Appropriately respond in consultation with legal advisors as necessary. |
Human Resources Risks | Human Resources & General Affairs Division (CAO) |
Risks arising from shortfalls and outflow and securing management and operational human resources |
Secure diverse human resources. Continuously develop abilities including by cooperation between ITOCHU and group companies. Place the right people in the right place by developing a rewarding working environment. |
Risks Associated with the Appropriateness of Financial Reporting | General Accounting Control Division (CFO) |
Risks relating to securing reliability in financial reporting by preparing and disclosing appropriate financial reports |
Appoint a person in charge of collecting information on the new establishment, revision and abolition of accounting standards. Disseminate that information by issuing notifications, and posting on the Intranet and sending emails. |
Risks Associated with Internal Control | General Accounting Control Division (CFO) |
Risk of incidents and fraud occurring due to employees and officers not performing operations in line with the rules and manuals relating to accounting |
Monitor internal control operations. |
Environmental and Social Risks | Sustainability Management Division (CAO) |
Risks relating to compliance of environmental and social related laws and ordinances and promotion of key issues in sustainability |
Plan a system to grasp environmental and social risks in our company and value chains when starting and continuing trades and business investment operations, and to monitor the status of the response to those risks. Monitor in cooperation with other departments as appropriate. |
Emerging Risks
The ITOCHU Group’s business environment is changing, and uncertainties are increasing. Through PEST analysis, we fully assess risks and opportunities in the context of macroenvironmental factors—such as economic recession risks, geopolitical risks, and environmental and social risks—and build an even stronger competitive edge by implementing flexible measures and transforming businesses in response to changes in the times and the business environment.
Please refer to the PEST analysis in our Integrated Report.
Initiatives
Risk Management Method
We conduct the following management throughout the year to build a PDCA cycle. We periodically move through the risk management cycle. Through these efforts, we are mitigating and preventing increasingly complex and diversifying risks.
- Plan: The departments responsible for managing the major risks formulate action plans to prevent and mitigate those risks every year. They then comprehensively identify potential risks. After that, the Internal Control Committee discusses the risks which should be tackled and management policies. The CSO then approves those policies.
- Do: Take measures based on the management policies.
- Check: Compile the status of measures and the following term’s action plans every six months. Report the status and action plans to the Internal Control Committee.
- Action: Take improvement measures and additional measures.
Risk Capital Management*1 and Management of Concentration Risk
Risk Assets and Risk Buffer*2
- The cost of shareholders’ equity set at 8%
- Risk Buffer = Total shareholders’ equity + Non-controlling interests
Strict Management of Risk Assets
Our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet including investments and all off-balance-sheet transactions. Second, we manage the amount of risk assets within the limits of our risk buffer (Total shareholders’ equity + Non-controlling interests). As we promote investments that will lead to evolve existing business moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.
Business Investment Management
Fundamental Approach
Along with strategic business alliances, business investment is an important means of creating new businesses. To actively promote strategic investments in areas of strength in a timely manner, we choose the optimal structure from a wide range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As or converting to a consolidated subsidiary.
In principle, we hold investments continuously. After making each investment, we work to maximize the investee’s corporate value and to expand trading profit and dividends received by fully utilizing our Groupwide capabilities. Given such considerations as larger-scale investments in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.
Decision-Making Process for New Investments
A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.
Regarding investment risks, the risk appetite is determined by considering factors such as market growth and stability, the impact on our company’s performance, and the feasibility of risk management.
Business Investment Process
Starting with the impact of COVID-19, the business environment changed dramatically.
Against this background, we steadily implemented strategic investment at the right time and divested businesses which are less efficient or past the peak.
At the same time, we strictly implemented various processes, including the verification of the validity of business plans at the time of investment decisions, and meticulously monitored those decisions after investing. This allowed us to maintain a high ratio of profit-making group companies at 92.0% in FYE 2024.
Number of Consolidated Subsidiaries and
Share of Group Companies Reporting Profits
Security Risk Management
Policy and Basic Concept
The ITOCHU Group has established a code of conduct for all members of the Board and employees regarding the handling of information, and views maintaining a high level of security as a key factor in addressing information security risks. Additionally, we have established an Information Security Policy. All officers and employees strive to properly handle, manage, protect, and maintain information in accordance with the policy.
Structures and Systems
The Chief Transformation Officer (CXO) holds overall responsibility for digitalization strategy and information security measures in the ITOCHU Group and chairs the IT Strategy Committee. The IT Strategy Committee deliberates policies, regulations and information security strategy, monitors the management situation, and reports to the Board of Directors as appropriate, ensuring a high level of information security.
Name | Chairman | Objectives |
IT Strategy Committee | Chief Transformation Officer (CXO) |
|
Initiatives
ITOCHU has formulated a company-wide information strategy for digital transformation (DX) and data-driven management and is aiming for IT-based management. In order to ensure a high level of information security that supports these management foundations, we continue to take thorough measures for crisis management, including the establishment of security guidelines, the expansion of security infrastructure, and the strengthening of technical security measures against malware, etc.
We routinely collect the latest information regarding potential cyber threats by analyzing system logs and malware. Additionally, when incidents do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. This is done by the ITOCHU Computer Emergency Readiness, Response & Recovery Team (ITCCERT) –a cybersecurity team whose members are senior cybersecurity analysts. As a framework for cybersecurity governance in the ITOCHU Group companies, “ITOCHU Group Cybersecurity Framework”, which is constituted of regulations, systems and processes, was rolled out in 2022. In addition, ITOCHU Cyber & Intelligence Inc. was established in February 2023 to provide the Cybersecurity Countermeasure Programs to Group companies, thereby ensuring sustainable and practical operations for the framework. We also provide training programs to develop technicians proficient in cybersecurity, including at Group companies. There are only a few cases in Japan where companies are working as actively as we are to develop systems and respond to information security risks. Moving forward, we plan to maintain these initiatives and make enhancements where necessary to ensure sustainable growth that is free from cyber threats.
We periodically engage in the training programs listed below to maintain and improve our information security program.
- We provide trainings to all employees on how to identify and respond to targeted e-mail attacks twice a year.
- All global employees including those in group companies are subject to a mandatory, simultaneous e-learning course on information security, which is held every three years.
- Several times a year, the ITCCERT leads an internal cybersecurity workshop for ITOCHU Group companies.
- Policies regarding information security and the management of personal information are required to be communicated to employees upon hiring. If amendments or updates are made to these policies, all executives and employees receive a notification of the changes made. Employees are also updated on such amendments in their periodic e-learning trainings.
- We conduct a drill on Business Continuity Plans once a year. In addition, exercises to evaluate and test security measures are conducted by a third-party at least once a year.
Business Continuity Plan
Please refer to Business Continuity Plan in Internal Control System for details.